Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cannot Update Virus Protection - Internet Access problem

Status
Not open for further replies.
cybersteve

cybersteve

Technical User
Mar 1, 2002
2
I am running a Windows 2000 Server, SP 2 and using Backup Exec version 8.5. In tightening server security by limiting
via TCP/IP Filtering, the TCP ports and IP Protocols; I have this problem:
If I allow ALL TCP ports then Backup Exec connects and updates the virus protection.
If I limited TCP ports to 25 (email), 53 (dns), 80 (http)
and 110 (IE browser & Norton AV) they work but Backup Exec can not access the update site???
I assume it uses a different port than 110.
I allow all UDP ports and limit IP Protocols to 4 & 6.
Do you know how to resolve this? Thank you...........
 
Sort by date Sort by votes
Veritas uses FTP to update its virus definition files. You need to enable TCP ports 20 and 21 to allow ftp traffic.
 
Upvote 0 Downvote
Thank you for your reply! I added port 20 and 21. Still didn't work. I found an ftp article that says if the ftp site use active ftp, port 21 is the initial control channel connection from the requestors machine. The ftp server uses
port 20 to establish a local channel on the requestors machine (port range 1024 through 5000) and sends the update data file. So, if I allow ALL TCP ports it works. If I have ports 20 and 21 it fails. How do I pick which local machine ports to add?? If my server has retrieved email, browser use, norton update; then windows just increments the
next available channel number - 1024, 1033, 1049, 1067 etc.
thanks for any added help!
 
Upvote 0 Downvote
I had a similar problem with the virus protection update as there isn't any form of setup dialog available for it.

My main problem I feel came from my 'All' protocol rule which is restricted to Domain Users only.

In my situation I found the following rule & filters helps:

Protocol Rule
Scope: Array
Action: Allow
Protocol: FTP
Applies to: Any Request
Schedule: Work Hours (custom schedule)

IP Packet Filters
Mode: Allow
Filter Type: Custom filter
Local Computer: Default External IP address
Remote Computer: Any
Protocol: TCP
Direction: Both
Local Port: All ports
Remote Port: 20

Mode: Allow
Filter Type: Custom filter
Local Computer: Default External IP address
Remote Computer: Any
Protocol: TCP
Direction: Both
Local Port: All ports
Remote Port: 21

And that seems to work fine and dandy. However, I'm not entirely sure that this is the most secure method. If anyone has any comments on securing my protocol rule and IP packet filters further then please tell me (I have little faith in my ISA rules & packets).

Cheers
Ahdkaw
Laptop Cauldrons run Thudex GUI
 
Upvote 0 Downvote
If it were using PASV FTP would that not require ports >1023 open ? - allowing to external >1023 ?

else on active >1023 to external 21.

If you have the ability to log you could always clear it, attempt the update and see what was going on in the log.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

nohelp
  • Locked
  • Question
NBU 7.6.1.1 update?
Replies
0
Views
63
nohelp
nohelp
adam1991001
  • Locked
  • Question
Problem with Netwotker 8.2.0.1 some client override my previous backup
Replies
6
Views
108
605
605
iancrowl
  • Locked
  • Question
client updates in a dmz
Replies
0
Views
58
iancrowl
iancrowl
colkas2012
  • Locked
  • Question
Backups Failing but cannot understand why
Replies
3
Views
94
sandyboy
sandyboy
falloutsam
  • Locked
  • Question
Update an existing media database
Replies
3
Views
84
v1nsr
v1nsr

Part and Inventory Search

Sponsor

Back
Top